Glossary
Terms of art
Every piece of jargon from the Trust & Safety series, defined in one place. The two deepest ones, hardware attestation and the Wilson score, have their own explainers.
- Allowlist
- An explicit list of things that are pre-approved and trusted, the opposite of a blocklist. Anything not on it is treated as unknown.
- App Attest
- Apple's hardware-backed service that lets an iPhone prove to your server that the app is genuine and running on real Apple hardware.Full explainer →
- Apple Hide My Email
- An Apple privacy feature that hands your app a random, throwaway forwarding address ending in `privaterelay.appleid.com` instead of the user's real email.
- Attestation provider
- The platform service that signed the proof a device is real: Apple's App Attest, Google's Play Integrity, and so on. The provider name tells you who vouched for the device.Full explainer →
- Blast radius
- How many real users get hurt if a change goes wrong. A high-blast-radius function is one where a mistake breaks a critical flow for a lot of people.
- Bootstrap window
- The brief moment right after an app launches when the attestation service hasn't finished setting up yet, so a real device temporarily produces no valid token.
- Callable function
- A backend function your app calls directly by name, with the user's identity and App Check token attached automatically, rather than a plain web URL anyone could hit.
- Civitai
- A third-party AI image platform we call to run some generations. Every job that uses it costs us real money.
- Clock skew
- How far off a device's clock is from the real time. Attestation tokens expire quickly, so a phone whose clock is more than a few minutes wrong fails verification even though it's legitimate.
- Cloud Logging
- Google's managed service that stores a searchable record of everything your backend does. Think of it as a diary your infrastructure writes automatically.
- Cohort
- A group of users who share a trait, like a sign-up week or a time zone. One cohort's behavior can look very different from another's, which is why a short observation window can mislead.
- Concurrency cap
- A limit on how many generation jobs one account can have running at the same time. Extra jobs wait until a slot opens.
- Config drift
- When a setting gets changed in one place (say an admin UI) but the code that should read it never does, so the knob has no effect and nobody notices, because there's no behavior change to watch for.
- Debug token
- A stand-in token App Check generates during development so your own machines and test devices count as legitimate without real hardware attestation. You register it by hand.
- Device bit
- One of the two on-off flags DeviceCheck stores on a physical iPhone. We set one to mark, permanently, that a device has already claimed a starter grant.Full explainer →
- DeviceCheck
- An Apple service that lets your server store two tiny bits of state tied to a physical device. The bits survive app deletion, reinstalls, and even a factory reset.Full explainer →
- Diffie token (Đ)
- Diffusitron's in-app currency, written Đ. Users spend it to generate images; a starter grant is a small handful of them.
- Dry run
- A pass through the full logic that computes exactly what it would do and then does nothing, so you can check the numbers before anything irreversible happens.
- enforceAppCheck
- The switch on a backend function that makes App Check stop being advisory and start actually rejecting any request that can't prove it came from your app.
- Fail open
- Choosing to let a request through when a safety check fails for technical reasons, rather than block it, so a glitch never strands a legitimate user.
- Failure-rate cooldown
- A wait triggered not by speed but by how often your recent submissions fail moderation. Cross a failure ratio and you pause for a while, regardless of how much you can afford.
- Fal
- A third-party GPU inference provider (fal.ai) we call to run some generations, also at a real per-call cost.
- False negative
- When a safety check lets an actual bad actor slip through. Usually the cheaper mistake: you eat a small loss and move on.
- False positive
- When a safety check flags a legitimate user as a bad actor. In fraud work this is the expensive mistake, because it hurts a real customer.
- Firebase App Check
- A Firebase feature that checks every request to your backend actually came from your real app, not from a script or a bot calling your API directly.Full explainer →
- Firestore
- Firebase's cloud database. It stores data as documents grouped into collections, rather than as rows in tables.
- Grant farming
- Creating fresh accounts over and over to keep claiming a free signup bonus that's only meant to be claimed once.
- Hardware attestation
- A way for a phone to cryptographically prove, using a security chip, that a request really came from your genuine app on real hardware and not from a script pretending to be it.Full explainer →
- Log Analytics
- An upgrade to Cloud Logging that lets you run SQL queries against your logs, so you can aggregate and pivot them the way you would a database table.
- Moderation restocking fee
- A small token charge taken when a generation is pulled back by moderation, so a stream of bad submissions actually costs the sender something.
- Normalized email
- An email address folded to one standard form (lowercased, trimmed, with Gmail dots and `+tags` stripped) so that variations of the same inbox all match as one person.
- OAuth provider
- The trusted third party that handles a 'sign in with...' step, like Apple or Google, confirming who a user is so your app never touches their password.
- Observe-only
- A rollout stage where a control runs its full logic and alerts on what it would have done, but takes no real action yet, so you can watch it against live traffic before enforcing.Full explainer →
- Play Integrity
- Google's Android equivalent of Apple's App Attest. It checks that a request came from a genuine, unmodified app on a real, non-tampered Android device.Full explainer →
- Prompt-repetition hash
- A fingerprint of a prompt's words (after dropping filler words and sorting the rest) so the same request submitted over and over looks identical and reads as brute-forcing.
- Provider sub
- The permanent account ID that Apple or Google hands back for a given person (the `sub` claim in their sign-in token). It stays the same even if the user deletes and recreates their account with you.
- Remote Config
- A Firebase service that stores named settings in the cloud and pushes them to your app or server, so you can flip a behavior on or off without shipping a new build.
- Secure Enclave
- A locked-off security chip inside Apple devices that holds cryptographic keys no software can read, not even Apple's. It signs things without ever exposing the key itself.Full explainer →
- Sock puppet
- A fake or throwaway account, usually one of many, created to pass as a distinct person, often to harvest free credits or fake engagement.
- Starter grant
- The free batch of tokens we give a brand-new account so someone can try Diffusitron before paying anything.
- Traffic-shaping
- Deliberately slowing or smoothing certain requests so heavy or suspicious usage doesn't crowd out everyone else, instead of a hard on-off block.
- Trust score
- A single number we keep per account that adds up cheap signals of legitimacy (a verified email, push on, account age, a past purchase) and decides how much latitude that account gets.
- Velocity cooldown
- A short wait we impose when an account submits work too fast. The faster you go over the line, the longer the next request has to wait.
- Wilson score
- A confidence-aware way to rank a ratio that discounts small samples, so 1 good call out of 1 doesn't rank like 100 out of 100. It answers 'how good is this, given how little we've seen?'Full explainer →
From the Trust & Safety series.